Microsoft Store Outlook add-in hijacked скачать в хорошем качестве

Microsoft Store Outlook add-in hijacked

Security researchers highlight a significant vulnerability in Microsoft Office add-ins, which function as remote dynamic dependencies that load external URLs within a trusted interface. Recent reports detail the first known instance of a malicious add-in, AgreeTo, being hijacked after its original developer abandoned a Vercel-hosted domain. An attacker claimed the orphaned URL to deploy a phishing kit, successfully stealing over 4,000 sets of credentials and financial data from unsuspecting users. Because Microsoft only reviews the initial manifest file upon submission, the live content of an add-in can be modified at any time without further oversight. This architectural flaw allows attackers to maintain persistent mailbox access and bypass traditional security gateways that do not inspect these iframe-based tools. Experts warn that social engineering can make these malicious tools appear legitimate, posing a long-term threat to the integrity of official software marketplaces.